Abstract. We present a set-theoretic, proof-irrelevant model for the Calculus of Constructions (CC) with predicative induction and judgmental equality in Zermelo-Fraenkel set theory with an axiom for countably many inaccessible cardinals. We use Aczel's trace encoding, which is universally defined for any function type, regardless of whether it is impredicative. Direct and concrete interpretations of simultaneous induction and mutually recursive functions are also provided by extending Dybjer's interpretations on the basis of Aczel's rule sets. Our model can be regarded as a higher-order generalization of the truth-table methods. We provide a relatively simple consistency proof of type theory, which can be used as the basis for a theorem prover.



1. Introduction 



Informal motivation. The types-as-sets interpretation of type theory in a sufficiently strong classical axiomatic set theory, such as Zermelo-Fraenkel (ZF) set theory, has been regarded as the most straightforward approach to demonstrating the consistency of type theory (cf. [Aczel(1998)] and [Coquand(1990)]). It can be construed as a higher-order generalization of the truth-table methods. Such a model captures the intuitive meaning of the constructs: the product, λ-abstraction, and application correspond to the ordinary set-theoretic product, function, and application, respectively.

A straightforward model of type theory is very useful for establishing the consistency of type theory, and it can be used to determine the proof-theoretic strength of type theory (cf. [Aczel(1998)], [Dybjer(1991)], [Dybjer(2000)], [Werner(1997)]). However, a higher-order generalization of the trivial Boolean model is not so simple (cf. [Miquel and Werner(2003)]). The main cause of this problem, as identified by [Reynolds(1984)], is the fact that type systems containing the Girard-Reynolds second-order calculus cannot have the usual set-theoretic interpretation of types. The only way to provide a set-theoretic meaning for an impredicative proposition type is to identify all the proof terms of that proposition type: proposition types are interpreted either by the empty set or by a singleton with a canonical element. Thus, proof-irrelevant models are necessary for interpreting reasonable higher-order type systems.

Set-theoretic models of type theory can be understood in a straightforward manner. [Werner(2008)] showed that they can be used as the basis of proof assistants in programming with dependent types. This is because they provide a mechanism to distinguish between computational and logical parts. Werner's system is a proof-irrelevant version of Luo's Extended Calculus of Constructions (ECC; [Luo(1989)]), and the set-theoretic model is an extension of that of the Calculus of Constructions (CC) defined by [Miquel and Werner(2003)].



Luo's ECC is a Martin-Löf-style extension of CC, with strong sum types and a fully cumulative type hierarchy. At the lowest level, there is an impredicative type Prop of propositions. This is followed by a hierarchy of predicative type universes Type_i, i = 0, 1, 2, ...:

• Prop is of type Type_0;

• Type_i is of type Type_{i+1};

• Prop ≺ Type_0 ≺ Type_1 ≺ ···.

Werner's system, however, does not include the subtyping rule Prop ≺ Type_0, which could complicate the model construction, as identified by [Miquel and Werner(2003)]. Their model constructions cannot be extended to ECC. We will explain this in detail in Remark 3.1.

In this paper, we investigate the inclusion of Prop ≺ Type_0, and we show that type theory with judgmental equality, à la [Martin-Löf(1984)], can have a simple proof-irrelevant model. We expect our results to play a key role in the theoretical justification of proof systems based on Martin-Löf-style type theory.

Overview of the work. Martin-Löf type theory and the Logical Framework include typing rules for the equality of objects and types:

                              Γ ⊢ M : A    Γ ⊢ A = B : s
    Γ ⊢ M = N : A     and     ——————————————————————————  (conv)
                                      Γ ⊢ M : B

In particular, Barendregt's PTS-style β-conversion side condition turns into an explicit judgment. Two objects are not just equal; they are equal with respect to a type (cf. [Nordström et al.(1990) Nordström, Petersson, and Smith], [Goguen(1994)], [Aczel(1998)]).



The type system considered in our study is CC with predicative induction and judgmental equality. It is a type system with the following features: dependent types, an impredicative type (Prop) of propositions, a cumulative hierarchy of predicative universes (Type_i), predicative inductions, and judgmental equality.

The main difficulty in the construction of a set-theoretic model of our system stems from the impredicativity of Prop and the subtyping property Prop ≺ Type_0. Without subtyping, one could use the solution provided by [Miquel and Werner(2003)] and [Werner(2008)], whereby proof-terms are syntactically distinguished from other function terms. Thus, the problem lies in the case distinction between the impredicative type Prop and the predicative types Type_i, whereas the subsumption eliminates the difference. An interpretation function I : {0, 1} → V is required, where V is a set universe, that is different from the identity function. See Section 3 for further details.
For a set-theoretic interpretation of the cumulative type universes and predicative inductions, it is sufficient to assume countably many (strongly) inaccessible cardinals. [Werner(1997)] showed that ZF with an axiom guaranteeing the existence of infinitely many inaccessible cardinals is a good candidate. However, it is not clear whether the inaccessible cardinal axiom is necessary for our construction. The required feature of an inaccessible cardinal κ is the closure property of the universe under the powerset operation. This is a necessary condition for the interpretation of inductive types. Following [Dybjer(1991)], we use Aczel's rule sets to obtain a direct and concrete interpretation of induction and recursion rules.

The remainder of this paper is organized as follows. In Section 2 we provide a formal presentation of CC with predicative induction and judgmental equality. Examples are presented to enable the reader to understand the syntax and typing rules. This section can be regarded as an introduction to the base theory of the proof assistant Coq. Indeed, the syntax we have provided is as close to Coq syntax as that used in practice, except for the judgmental equality and the restriction on predicative inductions.¹

The difficulties in providing set-theoretic interpretations of impredicative or polymorphic types, subtypes, etc., are discussed in Section 3. We use the computational information about the domains saved in the interpretation of a : A to avoid these difficulties. This means that for the construction of set-theoretic models, type systems with judgmental equality are more explicit than systems without it. Using some typical examples, we explain the construction of a set-theoretic interpretation of inductive types and recursive functions.

Finally, in Section 4 we prove the soundness of our interpretation. The proof itself is relatively simple, and it can also be used to verify the consistency of our system. This is because some types, such as Π(α : Prop). α, will be interpreted as the empty set; hence, they cannot be inhabited in the type system.

In Section 5 we summarize the main results, and we discuss related work for future investigation.

2. Formal presentation of CC with judgmental equality 

First, we provide the full presentation of the system, i.e., Coquand's CC with judgmental equality and predicative induction over infinitely many cumulative universes.

2.1. Syntax. We assume a countably infinite set of variables, and we let x, x_i, X, X_i, ... vary over the variables. We also use special constants Prop and Type_i, i ∈ ℕ. They are called sorts. Sorts are usually denoted by s, s_i, etc.²



¹We remark that many impredicative inductive types can be coded by impredicative definitions (cf. [Girard et al.(1989) Girard, Taylor, and Lafont], [Coquand(1990)], [Werner(1997)]).

²In this paper, we do not consider the sort Set. Indeed, when (the impredicative or predicative sort) Set is placed at the lowest level in the hierarchy of sorts, as in the case of the current development of Coq, there is no way to provide a universal set-theoretic interpretation of both Set and Prop, as identified by [Reynolds(1984)]. Note, however, that Type_0 in our system plays the role of the predicative Set.
Definition 2.1 (Terms and contexts). The syntax of the objects is given as follows.

    t, t', t_i, A, A_i ::= x | s | Πx : t. t' | λx : t. t' | let x := t in t' | t t'          (terms)
                         | case(t, t', t⃗) | Ind_n{Δ := Δ'} · x
                         | fix x_i {x_0/k_0 : A_0 := t_0, ..., x_n/k_n : A_n := t_n}

    Δ, Δ' ::= [] | Δ, (x : t)                                                               (declarations)

    Γ, Γ' ::= [] | Γ, (x : t) | Γ, (x := t : t') | Γ, Ind_n{Δ := Δ'}                         (contexts)

Here, [] denotes the empty sequence.

Definition 2.2 (Atomic terms). Atomic terms are either variables, sorts, or terms of the form Ind_n{Δ_I := Δ_C} · x.

Definition 2.3 (Domain of contexts). The domain of a context is defined as follows:

    dom([]) := ∅,    dom(Γ, Ind_n{Δ_I := Δ_C}) := dom(Γ),
    dom(Γ, x := t : A) := dom(Γ, x : A) := dom(Γ) ∪ {x}.

Remark 2.4.

(1) Vector notations are used instead of some sequences of expressions:

    • t⃗ := t_1, ..., t_n                       • f t⃗ := f t_1 ··· t_n

    • Πx⃗ : A⃗. t := Πx_1 : A_1. ... Πx_n : A_n. t    • λx⃗ : A⃗. t := λx_1 : A_1. ... λx_n : A_n. t

    • x⃗/k⃗ : A⃗ := t⃗  :=  x_0/k_0 : A_0 := t_0, ..., x_n/k_n : A_n := t_n

(2) Note that we use two subscript styles. One is of the form t_1, ..., t_n, and the other is of the form t_0, ..., t_n, where n is a natural number. The latter style will be used only in the definition of mutually recursive functions, i.e., in combination with fix.

(3) Given a sequence t⃗, let lh(t⃗) denote its length.

(4) In the examples presented below, character strings are used instead of single-character variables in order to emphasize the correspondence with real Coq expressions.

(5) Given a declaration Δ and a variable x, let Δ(x) = A when A is the only term such that x : A occurs in Δ.

(6) There are standard definitions of the sets of free variables in a context or a term, and of the substitution t[x\u], where t, u are terms and x a variable. Formal definitions are given in Appendix A.

(7) Given a sequence θ = x_1 : t_1, ..., x_n : t_n and a term t, let t{θ} := t[x_1\t_1] ··· [x_n\t_n] denote consecutive substitution. On the other hand, the simultaneous substitution of the terms t_1, ..., t_n for x_1, ..., x_n, respectively, in t is denoted by t[θ] := t[x_1\t_1, ..., x_n\t_n].

To enable the reader to understand the intended meaning of terms and contexts, we explain some notations with examples. The examples will also be used in Section 3 to explain our model.

Remark 2.5. The expression Ind_n{Δ_I := Δ_C} denotes a (mutually) inductive type, and the subscript n denotes the number of parameters. Δ_I and Δ_C are two declarations containing the inductive types and their constructors, respectively. The parameters are binders shared by all the constructors of the definition, and they are used to construct polymorphic types. The parameters differ from other non-parametric binders in that the conclusion of each constructor type invokes the inductive type with the same parameter values as its specification. We refer to Lemma 3.8 and Lemma 3.9, which show the difference between parameters and non-parametric binders.

The mutual definition of trees and forests can be represented, for instance, by D_TF = Ind_1{Δ_I := Δ_C}, where

    Δ_I = tree : Type_0 → Type_0, forest : Type_0 → Type_0,
    Δ_C = node : Π(A : Type_0). A → forest A → tree A,
          emptyf : Π(A : Type_0). forest A,
          consf : Π(A : Type_0). tree A → forest A → forest A.

The subscript 1 implies that (A : Type_0) is a parameter.

Remark 2.6. If D = Ind_n{Δ_I := Δ_C} and x ∈ dom(Δ_I, Δ_C), then D · x corresponds to the names of the defined inductive types or their constructors.

The type for natural numbers and its two constructors can be represented by D_N · nat, D_N · 0, and D_N · S, respectively, where D_N = Ind_0{Δ_I := Δ_C}, Δ_I = nat : Type_0, and Δ_C = 0 : nat, S : nat → nat.

In the examples presented below, however, we use character strings for better readability. Thus, for example, nat, 0, and S are used instead of D_N · nat, D_N · 0, and D_N · S, respectively.

Remark 2.7 (case and fix). The term case(e, Q, h⃗) corresponds to the following Coq expression

    match e as y in I z⃗ u⃗ return Q u⃗ y with ··· | C_i p⃗ v⃗ => h_i | ... end

where

• the term e is of an inductive type I p⃗ u⃗ for some terms p⃗, u⃗,

The term fix f_i {f⃗/k⃗ : A⃗ := t⃗} denotes the (i + 1)th function defined by a mutual recursion. The number k_i denotes the position of the inductive binder on which recursion is performed for f_i. It corresponds to Coq's struct annotation used for the "guarded" condition in the termination check (cf. [Giménez(1995)]).

(1) The addition function plus can be defined as follows:

    plus = fix f {f/1 : Π(m, n : nat). nat := λ(m, n : nat). case(n, Q, h_0, h_1)},

where Q = λ(i : nat). nat, h_0 = m, and h_1 = λ(p : nat). S (f m p).



A/ 

Ac 



tree : Typeg Typeg, forest : Typeg Typeg , 
node : Il{A : Typog). A —?■ forest A tree A, 
emptyf : n(^ : Typeg). forest A, 

consf : Il{A : Typog). tree A — ?> forest A — )■ forest A . 
(2) The functions for measuring the size of trees and forests can be represented by Tsize = fix g_0 {R} and Fsize = fix g_1 {R}, where R = g⃗/k⃗ : B⃗ := t⃗, k_0 = k_1 = 1, and

    B_0 = Π(A : Type_0). Π(t : tree A). nat,
    B_1 = Π(A : Type_0). Π(f : forest A). nat,
    t_0 = λ(A : Type_0). λ(t : tree A). case(t, Q_0, h_0),
    t_1 = λ(A : Type_0). λ(f : forest A). case(f, Q_1, h_1, h_2),
    Q_0 = λ(t : tree A). nat,
    Q_1 = λ(f : forest A). nat,
    h_0 = λ(a : A). λ(f : forest A). S (g_1 A f),
    h_1 = 0,
    h_2 = λ(t : tree A). λ(f : forest A). plus (g_0 A t) (g_1 A f).



2.2. Typing rules. The typing judgment Γ ⊢ M : A or Γ ⊢ M = N : A is defined simultaneously with the property WF(Γ) of a well-formed valid context and the property Γ ⊢ M ≺ N of cumulativity of types in Figures 1–3. We provide short explanations of some rules. For a more detailed explanation, refer to [Bertot and Castéran(2004)], [Letouzey(2004)], or [Paulin-Mohring(1996)].

Typing rules for basic terms and valid contexts (Figure 1). Typing rules for the standard constructions of λ- and Π-terms are given.

(wf): Well-formed contexts contain well-typed terms, and they can be extended by well-typed inductive types, as in rule (ind-wf) of Figure 2.

(Π) and (Π-eq): P(s_1, s_2, s_3) implies that

• s_2 = s_3 = Prop, or

• s_1 = Type_i, s_2 = Type_j and s_3 = Type_k, where k > max{i, j}.



Typing rules for inductive types and recursive functions (Figure 2). Typing rules for (mutually) inductive types, case distinctions, and (mutually) recursive functions are given.

(ind-wf): The positivity condition is crucial for defining an inductive type. A term A is an arity ending in sort s, Arity(A, s), if it is convertible to s or to a product Πx : A'. B, where B is an arity ending in sort s. A is called an arity, Arity(A), if A is an arity ending in sort s for some sort s.

A term M satisfies the positivity condition for a variable x when M = Πy⃗ : A⃗. x u⃗ for some terms A⃗, u⃗ and the variable x occurs strictly positively in A⃗. A variable x occurs strictly positively in M when

• x does not occur in M, or

• M = Πy⃗ : A⃗. (x B⃗) and x does not occur in A⃗, B⃗.

Now, X_n(Δ_I, Δ_C) represents the following conditions:

• All the names contained in the domains of Δ_I and Δ_C must be mutually distinct and new.
                              Γ ⊢ A : s    x ∉ dom(Γ)        Γ ⊢ t : A    x ∉ dom(Γ)
    (wf)        WF([])        ————————————————————————       ————————————————————————
                              WF(Γ, (x : A))                 WF(Γ, (x := t : A))

                  WF(Γ)                      WF(Γ)    i < j
    (ax)      ————————————————           ————————————————————
              Γ ⊢ Prop : Type_i           Γ ⊢ Type_i : Type_j

                WF(Γ)    (x : A) ∈ Γ  or  (x := t : A) ∈ Γ
    (var)     ————————————————————————————————————————————
                              Γ ⊢ x : A

                    Γ, (x := t : A) ⊢ u : U
    (let)     ————————————————————————————————
              Γ ⊢ let x := t in u : U[x\t]

                Γ ⊢ t = t' : A    Γ, (x := t : A) ⊢ u = u' : U
    (let-eq)  ——————————————————————————————————————————————————————
              Γ ⊢ (let x := t in u) = (let x := t' in u') : U[x\t]

                Γ ⊢ A : s_1    Γ, x : A ⊢ B : s_2    P(s_1, s_2, s_3)
    (Π)       ————————————————————————————————————————————————————————
                              Γ ⊢ Πx : A. B : s_3

                Γ ⊢ A = A' : s_1    Γ, x : A ⊢ B = B' : s_2    P(s_1, s_2, s_3)
    (Π-eq)    ————————————————————————————————————————————————————————————————
                          Γ ⊢ Πx : A. B = Πx : A'. B' : s_3

                Γ, x : A ⊢ M : B    Γ ⊢ Πx : A. B : s
    (λ)       ————————————————————————————————————————
                    Γ ⊢ λx : A. M : Πx : A. B

                Γ ⊢ A = A' : s    Γ, x : A ⊢ M = M' : B    Γ ⊢ Πx : A. B : s'
    (λ-eq)    ——————————————————————————————————————————————————————————————
                        Γ ⊢ λx : A. M = λx : A'. M' : Πx : A. B

                Γ ⊢ M : Πx : A. B    Γ ⊢ N : A
    (app)     ———————————————————————————————————
                      Γ ⊢ M N : B[x\N]

                Γ ⊢ M = M' : Πx : A. B    Γ ⊢ N = N' : A
    (app-eq)  ————————————————————————————————————————————
                      Γ ⊢ M N = M' N' : B[x\N]

Figure 1: Basic terms and valid contexts

• All the types of Δ_I and Δ_C start with the same n products, say, p⃗ : P⃗.

• Any occurrence of some d ∈ dom(Δ_I) in Δ_C is of the form (d p⃗ u⃗), which is not applicable any more.

• For all d : A ∈ Δ_I, A is an arity ending in a sort s_d such that s_d ≠ Prop. Thus, we do not use inductive definitions of type Prop. Some propositions defined inductively can be constructed using an impredicative coding. See [Girard et al.(1989) Girard, Taylor, and Lafont], [Coquand(1990)], and [Werner(1997)] for further details.

• For all c : T ∈ Δ_C, T is the type of a constructor for an inductive type d ∈ dom(Δ_I), i.e., T is of the form Πp⃗ : P⃗. Πz⃗ : Z⃗. (d p⃗ u⃗). In this case, the sort s_c in the third premise of the rule must be s_d.

• T satisfies the positivity condition for all x ∈ dom(Δ_I).

Notation. We use Γ ⊢ Ind_n{Δ_I := Δ_C} when all the premises of (ind-wf) are satisfied.
                   X_n(Δ_I, Δ_C)    Γ ⊢ A : s_d for all (d : A) ∈ Δ_I    Γ, Δ_I ⊢ T : s_c for all (c : T) ∈ Δ_C
    (ind-wf)     ——————————————————————————————————————————————————————————————————————————————————————
                                          WF(Γ, Ind_n{Δ_I := Δ_C})

                   WF(Γ)    D = Ind_n{Δ_I := Δ_C} ∈ Γ    d ∈ dom(Δ_I)
    (ind-type)   ———————————————————————————————————————————————————————
                              Γ ⊢ D · d : Δ_I(d)[.\D]

                   WF(Γ)    D = Ind_n{Δ_I := Δ_C} ∈ Γ    c ∈ dom(Δ_C)
    (ind-const)  ———————————————————————————————————————————————————————
                              Γ ⊢ D · c : Δ_C(c)[.\D]

                   Ind_n{Δ_I := Δ_C} ∈ Γ    (d_i : Πp⃗ : P⃗. A) ∈ Δ_I    lh(p⃗) = n
                   Γ ⊢ Q : B    C(d_i p⃗ : A; B)    Γ ⊢ e : d_i p⃗ u⃗
                   Γ ⊢ h_k : Πv⃗ : V⃗_k. Q w⃗_k (c_k p⃗ v⃗)   for all (c_k : Πp⃗ : P⃗. Πv⃗ : V⃗_k. d_i p⃗ w⃗_k) ∈ Δ_C
    (case)       ——————————————————————————————————————————————————————————————————————————————————————
                                       Γ ⊢ case(e, Q, (h_k)_k) : Q u⃗ e

                   Ind_n{Δ_I := Δ_C} ∈ Γ    (d_i : Πp⃗ : P⃗. A) ∈ Δ_I    lh(p⃗) = n
                   Γ ⊢ Q = Q' : B    C(d_i p⃗ : A; B)    Γ ⊢ e = e' : d_i p⃗ u⃗
                   Γ ⊢ h_k = h'_k : Πv⃗ : V⃗_k. Q w⃗_k (c_k p⃗ v⃗)   for all (c_k : Πp⃗ : P⃗. Πv⃗ : V⃗_k. d_i p⃗ w⃗_k) ∈ Δ_C
    (case-eq)    ——————————————————————————————————————————————————————————————————————————————————————
                               Γ ⊢ case(e, Q, (h_k)_k) = case(e', Q', (h'_k)_k) : Q u⃗ e

                   F(f⃗, A⃗, k⃗, t⃗)    n = lh(k⃗)    (Γ ⊢ A_i : s_i)_{∀i<n}    (Γ, f⃗ : A⃗ ⊢ t_i : A_i)_{∀i<n}    j < n
    (fix)        ——————————————————————————————————————————————————————————————————————————————————————
                                       Γ ⊢ fix f_j {f⃗/k⃗ : A⃗ := t⃗} : A_j

                   F(f⃗, A⃗, k⃗, t⃗)    F(f⃗, A⃗', k⃗, t⃗')    n = lh(k⃗)
                   (Γ ⊢ A_i = A'_i : s_i)_{∀i<n}    (Γ, f⃗ : A⃗ ⊢ t_i = t'_i : A_i)_{∀i<n}    j < n
    (fix-eq)     ——————————————————————————————————————————————————————————————————————————————————————
                          Γ ⊢ fix f_j {f⃗/k⃗ : A⃗ := t⃗} = fix f_j {f⃗/k⃗ : A⃗' := t⃗'} : A_j

Figure 2: Inductive types and recursive functions

(ind-type) and (ind-const): Given D = Ind_n{Δ_I := Δ_C} and a term A, A[.\D] means that every occurrence of z ∈ dom(Δ_I, Δ_C) in A is replaced with D · z.

(case) and (case-eq): d_i and c_k denote Ind_n{Δ_I := Δ_C} · d_i and Ind_n{Δ_I := Δ_C} · c_k, respectively. Furthermore, lh(u⃗) = lh(w⃗_k).

For an inductive type d and an arity B, the relation C(d q⃗ : A; B) is defined as follows:

• C(d q⃗ : Prop; d q⃗ → Prop);

• C(d q⃗ : Prop; d q⃗ → Type_i) iff d is an inductive type that is empty or has only one constructor³ such that all the non-parametric arguments are of sort Prop;

• C(d q⃗ : Type_i; d q⃗ → s) for any sort s;

• C(d q⃗ : (Πu : U. A); (Πu : U. B)) iff C(d q⃗ u : A; B).

³This reflects the fact that no pattern matching is allowed on proof-terms, which would otherwise result in a paradox, as shown by [Coquand(1990)].
                    Γ ⊢ M : A                    Γ ⊢ M = N : A
    (ref)       ———————————————     (sym)    ———————————————
                 Γ ⊢ M = M : A                Γ ⊢ N = M : A

                    Γ ⊢ M = N : A    Γ ⊢ N = P : A
    (trans)     ——————————————————————————————————
                           Γ ⊢ M = P : A

                    Γ ⊢ M : A    Γ ⊢ A = B : s                  Γ ⊢ M = N : A    Γ ⊢ A = B : s
    (conv)      ——————————————————————————————    (conv-eq)   ——————————————————————————————————
                          Γ ⊢ M : B                                   Γ ⊢ M = N : B

                    Γ, x : A ⊢ M : B    Γ ⊢ Πx : A. B : s    Γ ⊢ N : A
    (β)         ————————————————————————————————————————————————————————
                        Γ ⊢ (λx : A. M) N = M[x\N] : B[x\N]

                    WF(Γ)    (x := t : A) ∈ Γ
    (δ)         ——————————————————————————————
                          Γ ⊢ x = t : A

                    Γ ⊢ t : A    Γ, (x := t : A) ⊢ u : U
    (ζ)         ———————————————————————————————————————————
                Γ ⊢ (let x := t in u) = u[x\t] : U[x\t]

                    Ind_n{Δ_I := Δ_C} ∈ Γ    (d_i : Πp⃗ : P⃗. A) ∈ Δ_I    lh(p⃗) = n
                    Γ ⊢ Q : B    C(d_i p⃗ : A; B)    Γ ⊢ c_j p⃗ a⃗ : d_i p⃗ u⃗
                    Γ ⊢ h_k : Πv⃗ : V⃗_k. Q w⃗_k (c_k p⃗ v⃗)   for all (c_k : Πp⃗ : P⃗. Πv⃗ : V⃗_k. d_i p⃗ w⃗_k) ∈ Δ_C
    (ι)         ——————————————————————————————————————————————————————————————————————————————————————
                            Γ ⊢ case(c_j p⃗ a⃗, Q, (h_k)_k) = h_j a⃗ : Q u⃗ (c_j p⃗ a⃗)

                    (Γ ⊢ A_i : s_i)_{∀i<n}    (Γ, f⃗ : A⃗ ⊢ t_i : A_i)_{∀i<n}    F(f⃗, A⃗, k⃗, t⃗)    j < n
                    R = f⃗/k⃗ : A⃗ := t⃗    A_j = Πx⃗_j : B⃗_j. A'_j    Γ ⊢ a⃗ : B⃗_j    lh(B⃗_j) = k_j + 1
    (ι)         ——————————————————————————————————————————————————————————————————————————————————————
                       Γ ⊢ (fix f_j {R}) a⃗ = (t_j[f⃗\(fix f_i {R})_i] a⃗) : A'_j{x⃗_j : a⃗}

    (inc)       ⊢ Prop ≺ Type_0        ⊢ Type_i ≺ Type_{i+1}

                    Γ ⊢ M ≺ N    Γ ⊢ N ≺ P
    (trans-inc) ——————————————————————————
                         Γ ⊢ M ≺ P

                    Γ ⊢ A ≺ B    Γ ⊢ C : s    x ∉ dom(Γ)
    (weak-inc)  ————————————————————————————————————————
                         Γ, x : C ⊢ A ≺ B

                    Γ ⊢ A_1 = B_1 : s    Γ, x : A_1 ⊢ A_2 ≺ B_2
    (Π-inc)     ————————————————————————————————————————————————
                      Γ ⊢ Πx : A_1. A_2 ≺ Πx : B_1. B_2

                    Γ ⊢ M = N : s    Γ ⊢ M ≺ P          Γ ⊢ M = N : s    Γ ⊢ P ≺ M
    (eq-inc)    ———————————————————————————————        ———————————————————————————————
                          Γ ⊢ N ≺ P                              Γ ⊢ P ≺ N

                    Γ ⊢ M : A    Γ ⊢ A ≺ B                     Γ ⊢ M = N : A    Γ ⊢ A ≺ B
    (cum)       ——————————————————————————      (cum-eq)    ——————————————————————————————
                         Γ ⊢ M : B                                  Γ ⊢ M = N : B

Figure 3: Judgmental equality and cumulative type universes
This means that an object of the inductive type d can be eliminated for proving a property P of type B. Let C(d q⃗; B) denote C(d q⃗ : A; B), where A is the type of d q⃗.

(fix) and (fix-eq): F(f⃗, A⃗, k⃗, t⃗) represents the following conditions:

• lh(f⃗) = lh(A⃗) = lh(k⃗) = lh(t⃗),

• for each t_i ∈ t⃗, there is an inductive type D · d, where D = Ind_n{Δ_I := Δ_C}, and a term T_i such that

  – t_i = λy⃗ : Y⃗. λz : (D · d) u⃗. t'_i, where lh(Y⃗) = k_i, and

  – there is a constrained derivation with respect to z and Δ_I, Δ_C such that

        (y⃗ : Y⃗, z : (D · d) u⃗, (f⃗ : A⃗)_z ⊢ t'_i : T_i),

    where (f⃗ : A⃗)_z is the context composed of

        f_j : Π(u⃗ : B⃗_j). Π(v ≺ z : X_j). P_j    (v constrained to be structurally smaller than z)

    if f_j : Π(u⃗ : B⃗_j). Πv : X_j. P_j is from f⃗ : A⃗ and lh(B⃗_j) = k_j.

The condition for constrained derivation ensures that the constructed terms are normalizing terms. A formal definition is given in Appendix B. Informally, it means that t_i can only contain decreasing recursive calls: if f_j appears in t_i, then it must have at least k_j + 1 arguments, and its (k_j + 1)th argument must be structurally smaller than the initial inductive argument z. (Thus, any subterm of an inductive term obtained by going through at least one constructor is structurally smaller than the initial term.)

Judgmental equality and type universes (Figure 3). The rules in Figure 3 stipulate that the judgmental equality based on reductions is an equivalence relation. De Bruijn's telescope notation is very useful: Γ ⊢ t⃗ : A⃗ with lh(t⃗) = n means that

• Γ, x_1 : A_1, ..., x_{j−1} : A_{j−1} ⊢ A_j : s_j for all j ∈ {1, ..., n}, and

• Γ ⊢ t_j : A_j[x_1\t_1] ··· [x_{j−1}\t_{j−1}] for all j ∈ {1, ..., n}.



3. Set-theoretic model construction 



3.1. Background. We must resolve a dilemma related to the construction of a set-theoretic model of CC and its extensions. In a proof-irrelevant model, each type expression should have an obvious set-theoretic interpretation; however, it is well known that impredicative or polymorphic types, such as Prop, can only have a trivial set-theoretic interpretation, as shown by [Reynolds(1984)]. Hence, it is necessary to assign a singleton or the empty set to each term of type Prop.

In constructing a set-theoretic model of Coquand's CC, [Miquel and Werner(2003)] provided the following solution. Under the assumption of the existence of a urelement • that does not belong to the standard universe of set theory, the sort Prop is associated with {∅, {•}}. Furthermore, the application and λ-abstraction terms are interpreted by app and lam, respectively, which are defined as follows:

    app(u, x) := •      if u = •,
                 u(x)   otherwise.

    lam(f)    := •      if f(x) = • for all x ∈ dom(f),
                 f      otherwise.


Remark 3.1. This construction does not correctly model the cumulative relation between Prop and Type_i, as demonstrated in the following example; [Werner(2008)] showed that it can be easily extended to the cumulative type universes when the subtyping relation between Prop and Type_i does not exist.

Consider f = λ(A : Type_0). A → A. Then, the set-theoretic interpretation of its type is not deterministic. Suppose that P is a true proposition. Then, [[f P]] depends on the type we have assigned to P, that is, Prop or Type_0. In the former case, [[f P]] = {•} since P → P is a tautology, whereas in the latter case, [[f P]] = [[P]] → [[P]] = {f | f : {•} → {•}} ≠ {•} since [[P]] = {•}.



Another solution was provided by [Aczel(1998)]. He used the trace encoding of functions in order to provide an adequate interpretation of the impredicative type Prop of propositions and its relationship with Type_i. For this reason, we adopt Aczel's solution.

Definition 3.2 (Trace encoding of set-theoretic functions). Let u, x, f denote sets. Then,

    app(u, x) := {z | (x, z) ∈ u},

    lam(f) := ⋃_{(x,y)∈f} ({x} × y) = ⋃_{(x,y)∈f} {(x, z) | z ∈ y}.

Note that for any function f and any x ∈ dom(f), we have

    app(lam(f), x) = {y | (x, y) ∈ lam(f)} = {y | y ∈ f(x)} = f(x).

Notations.

(1) In the remainder of this paper, ↓ is used if something is well defined, and ↑ is used otherwise.

(2) Given sets A, B(x), x ∈ A, let Π_{x∈A} B(x) denote the set of all functions f such that dom(f) = A and f(x) ∈ B(x) for all x ∈ A.

(3) Given a function f ∈ Π_{x_1∈A_1} ··· Π_{x_n∈A_n(x_1,...,x_{n−1})} B(x_1, ..., x_n), we use the notation lam_n(f) (resp. app_n(f, x⃗)) for the n-times application of lam (resp. app):

    lam_n(f) := {(x_1, ..., x_n, y) | x_1 ∈ A_1, ..., x_n ∈ A_n(x_1, ..., x_{n−1}), y ∈ f(x_1, ..., x_n)}

    app_n(f, x⃗) := app(...(app(app(f, x_1), x_2), ...), x_n)

We suppress the subscript n when the number of times we want to apply lam or app is obvious from the context. Note that lam_0(f) = f and app_0(f, nil) = f.

Lemma 3.3 ([Aczel(1998)]). Given a set A, assume B(x) ⊆ 1 for all x ∈ A.

(1) {lam(f) | f ∈ Π_{x∈A} B(x)} ⊆ 1.

(2) {lam(f) | f ∈ Π_{x∈A} B(x)} = 1 iff ∀x ∈ A (B(x) = 1).
Proof. Let f ∈ Π_{x∈A} B(x), i.e.,

    f = ↑                    if ∃x ∈ A (B(x) = 0),
        {(x, 0) | x ∈ A}     otherwise.

Then, we have

    lam(f) = ↑    if ∃x ∈ A (B(x) = 0),
             0    otherwise.

This also implies that {lam(f) | f ∈ Π_{x∈A} B(x)} = 1 iff ∀x ∈ A (B(x) = 1). □

Remark 3.4. A useful feature of trace encoding is that app(u, a) and lam(f) are always defined for any sets u, a, f, including the empty set. This, however, implies that we sometimes lose the information of the domain of a given function f, i.e., we cannot trace back to dom(f) starting from lam(f). We will see that the use of judgmental equality enables us to avoid such a loss when only well-typed terms are involved.
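The following added example (not code from the paper) implements Aczel's trace encoding of Definition 3.2 on finite hereditarily-finite sets, and uses it to check Lemma 3.3 and the domain loss of Remark 3.4 directly. Sets are Python frozensets, pairs are tuples, and the ordinals 0 and 1 are ∅ and {∅}; the names `app`, `lam`, `all_functions`, `lam_image`, `lemma_3_3` and `domain_recoverable` are the example's own.

```python
from itertools import product

EMPTY = frozenset()          # the ordinal 0 = ∅
ONE = frozenset({EMPTY})     # the ordinal 1 = {∅}


def app(u, x):
    """app(u, x) := {z | (x, z) ∈ u}.

    Defined for every set u, as Remark 3.4 says: elements of u that are not
    pairs are simply ignored, and app(u, x) = ∅ when x never occurs as a
    first component."""
    return frozenset(e[1] for e in u
                     if isinstance(e, tuple) and len(e) == 2 and e[0] == x)


def lam(f):
    """lam(f) := ⋃_{(x,y)∈f} {x} × y, for a function f given as a dict
    whose values are sets.  This is the trace (graph) of f flattened one
    level, so that app(lam(f), x) = f(x) for every x ∈ dom(f)."""
    return frozenset((x, z) for x, y in f.items() for z in y)


def all_functions(A, B):
    """Π_{x∈A} B(x): every f with dom(f) = A and f(x) ∈ B(x) for all x ∈ A.
    B is a dict x ↦ B(x).  If some B(x) is empty there is no such f."""
    xs = sorted(A, key=repr)
    return [dict(zip(xs, choice)) for choice in product(*(B[x] for x in xs))]


def lam_image(A, B):
    """{lam(f) | f ∈ Π_{x∈A} B(x)} -- the interpretation of a Π-type
    whose fibres are B(x)."""
    return frozenset(lam(f) for f in all_functions(A, B))


def lemma_3_3(A, B):
    """For B(x) ⊆ 1, returns (image ⊆ 1, image = 1, ∀x∈A B(x) = 1).
    Lemma 3.3 says the first is always True and the last two agree."""
    assert all(B[x] <= ONE for x in A), "lemma needs B(x) ⊆ 1"
    image = lam_image(A, B)
    return (image <= ONE, image == ONE, all(B[x] == ONE for x in A))


def domain_recoverable(f):
    """Remark 3.4: can dom(f) be read back from lam(f)?  It cannot when
    f(x) = ∅ for some x, because that x contributes no pair to the trace."""
    return {x for x, _ in lam(f)} == set(f)
```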



3.2. Inductive types and rule sets. Here, we follow the approaches of [Aczel(1998)] and [Dybjer(1991)] for the construction of a set-theoretic interpretation of inductive types. We are particularly interested in rule sets.

We are going to work on the basis of ZF set theory with an axiom guaranteeing the existence of countably many (strongly) inaccessible cardinals. Note that such an axiom is independent of ZFC. [Werner(1997)] showed that such an axiom is sufficient for a set-theoretic interpretation of the cumulative type universes and predicatively inductive types. However, it is not clear whether this axiom is necessary for our construction. Indeed, the required feature of an inaccessible cardinal κ is the closure property of the universe V_κ under the powerset operation. This is a necessary condition for the interpretation of inductive types.

Henceforth, assume that there are countably many (strongly) inaccessible cardinals. Let κ_0 = ω and let κ_1, κ_2, ... enumerate these inaccessible cardinals. We associate each sort Type_i with its rank, rank(Type_i) := κ_i. If (V_α)_{α∈Ord} denotes the (standard) universe of sets defined as follows, then V_κ is a model of ZF:

    V_0 := ∅   and   V_α := ⋃_{β<α} P(V_β)   if α > 0   (so V_λ = ⋃_{β<λ} V_β for a limit ordinal λ).

Ord denotes the class of all ordinals, λ denotes a limit ordinal, and P denotes the power set operator. In particular, if κ is an inaccessible cardinal, A ∈ V_κ, and B_a ∈ V_κ for every a ∈ A, then Π_{a∈A} B_a ∈ V_κ. Let rank(Prop) := −1 and V_{−1} = {0, 1} for convenience. Refer to [Drake(1974)] for further details about inaccessible cardinals.

A rule on a base set U is a pair of sets (u, v), often written as u/v, such that u ⊆ U and v ∈ U. A set of rules on U is called a rule set on U. Given a rule set Φ on U, a set w is Φ-closed if for any u/v ∈ Φ, v ∈ w whenever u ⊆ w. Note that there is a least Φ-closed set

    I(Φ) := ⋂ {w ⊆ U | w is Φ-closed}.

In fact, it is well known that each rule set Φ on U generates a monotone operator on P(U),

    Γ_Φ(X) := {v ∈ U | there exists some u ⊆ X such that u/v ∈ Φ},

such that I(Φ) is the least fixed point of Γ_Φ. Assuming that Φ is a rule set on I × U, Φ defines a family I_F(Φ) of sets in U over I as

    I_F(Φ)(i) := {u ∈ U | (i, u) ∈ I(Φ)}

for each i ∈ I.

A rule set is deterministic provided that it contains at most one rule with a given conclusion. The rule sets defined below by an inductive definition are deterministic. This makes it possible to interpret functions defined by structural recursion on a certain inductive type as set-theoretic functions. The interpretations are defined on the corresponding set-theoretic inductively defined set, which is the fixpoint of a monotone operator. Refer to [Aczel(1977)] and [Moschovakis(1974), Moschovakis(1980)] for further details about rule sets, monotone operators, and fixpoints.

Below, we describe the interpretations of inductive and recursive types with some examples. Given a well-defined (mutually) inductive type Ind_n{Δ_I := Δ_C}, where

    Δ_I = x_0 : A_0, ..., x_l : A_l    and    A_i = Πp⃗ : P⃗. Πa⃗_i : B⃗_i. s_i,

let rank(x_i) := rank(s_i).

Notations.

(1) With each context Γ, we associate a set [[Γ]] of Γ-valuations of the form (a_1, ..., a_n), where n is the length of Γ and (, ..., ) denotes a sequence of finite length. Given a sequence L = (a_1, ..., a_n) and a natural number i < n, we set (L)_i = a_{i+1}. If a_{i+1} itself is a sequence of length m, then we write (L)_{i,j} for (a_{i+1})_j if j < m, etc.

(2) α, β, α_i, β_i vary over single values while γ, δ, γ_i, δ_i vary over valuations. nil denotes the empty sequence. Given two valuations γ and δ, the notation γ, δ denotes their concatenation. If δ = (α), then we write γ, α instead of γ, (α).

(3) With each pair (Γ, t) formed by a context Γ and a term t, we associate a function [[Γ ⊢ t]] that is partially defined on Γ-valuations: [[Γ ⊢ t]]_γ denotes [[Γ ⊢ t]](γ) when γ ∈ [[Γ]].

(4) In the following, we write [[t]] for [[Γ ⊢ t]]_γ if Γ and γ ∈ [[Γ]] are fixed in the context. Similarly, we use the notation u⃗ ∈ [[A⃗]] for u_1 ∈ [[Γ ⊢ A_1]]_γ, ..., u_n ∈ [[Γ, x_1 : A_1, ..., x_{n−1} : A_{n−1} ⊢ A_n]]_{γ,u_1,...,u_{n−1}} for some context Γ and Γ-valuation γ ∈ [[Γ]].



3.3. Interpretation of inductive types. Here, we claim the existence of interpretations of inductive types that satisfy the soundness of the rules (ind-wf), (ind-type), and (ind-const) when the conditions in the typing rules are fulfilled. The formal definition is given in Appendix C. Refer to [Dybjer(1991)], whose idea is generalized in this paper.

Lemma 3.5. Suppose Γ ⊢ D, where D = Ind_n{Δ_I := Δ_C}. Let γ ∈ [[Γ]] be given. As mentioned before, we suppress Γ and γ for better readability. Further suppose that

    Δ_I := d_0 : A_0, ..., d_l : A_l,    Δ_C := c_1 : T_1, ..., c_m : T_m,

    A_i := Πp⃗ : P⃗. Πb⃗_i : B⃗_i. s_i,    T_k := Πp⃗ : P⃗. Πz⃗_k : Z⃗_k. d_{i_k} p⃗ t⃗_k.

Then, there is some rule set Φ such that the following interpretation of D · d_i and D · c_k satisfies the soundness of the rules (ind-type) and (ind-const):

    • [[D · d_i]] := lam(f_i) where f_i(p⃗, b⃗_i) := I_F(Φ)(i, p⃗, b⃗_i) for p⃗, b⃗_i : [[P⃗, B⃗_i]],
    • [[D · c_k]] := lam(g_k) where g_k(p⃗, z⃗_k) := (k, z⃗_k) for p⃗, z⃗_k : [[P⃗, Z⃗_k]].
Remark 3.6. The positivity condition is crucial for showing that the construction of the rule set Φ in Appendix C is well defined.

The elements of our rule sets Φ are rules with conclusions of the form (i, p⃗, t⃗, (j, v⃗)), where i denotes the ith inductive type d_i, p⃗ denote the parameters, t⃗ denote the non-parametric arguments of d_i, j denotes the jth constructor of d_i, and v⃗ denote the non-parametric arguments of the jth constructor. Note that p⃗, t⃗, v⃗ could be empty.

Example 3.7 (Natural numbers). Let D_N be the inductive type for natural numbers, as in Remark 2.6. Then,

    Φ_nat := { ∅ / (0, (1)) }  ∪  { {(0, v)} / (0, (2, v)) | v ∈ V_{κ_0} },

    [[nat]] = I_F(Φ_nat)(0),  [[0]] = (1),  and  app([[S]], n) = (2, n) for any n ∈ [[nat]].

Example 3.8 (Inductive families). The following Coq-expression shows a typical use of inductive families.

Inductive toto : Type -> Type :=
| Y1 : forall x : Type, toto x
| Y2 : forall x : Type, toto nat -> toto x -> toto x.

The inductive type toto can be represented by $\mathcal{D}_{toto} = Ind_0\{\Delta_I := \Delta_C\}$, where

$$\Delta_I := toto : Type_1 \to Type_1,$$

$$\Delta_C := Y1 : \Pi x : Type_1.\, toto\ x,\quad Y2 : \Pi x : Type_1.\, toto\ nat \to toto\ x \to toto\ x.$$

Then

$$\Phi_{toto} := \left\{ \frac{\emptyset}{(0,x,(1,x))} \;\middle|\; x \in V_{\kappa_1} \right\} \cup \left\{ \frac{\{(0,[\![nat]\!],v_1),\,(0,x,v_2)\}}{(0,x,(2,x,v_1,v_2))} \;\middle|\; x, v_1, v_2 \in V_{\kappa_1} \right\},$$

$app([\![toto]\!], x) = I.F(\Phi_{toto})(0, x)$, $app([\![Y1]\!], x) = (1, x)$, and $app([\![Y2]\!], x, a, b) = (2, x, a, b)$, where $x \in V_{\kappa_1}$, $a \in app([\![toto]\!], [\![nat]\!])$, and $b \in app([\![toto]\!], x)$.

Example 3.9 (Inductive types with parameters). The following Coq-expression shows a typical use of parametric inductive types.

Inductive titi (x : Type) : Type :=
| Z1 : titi x
| Z2 : titi nat -> titi x -> titi x.

The inductive type titi can be represented by $\mathcal{D}_{titi} = Ind_1\{\Delta_I := \Delta_C\}$, where

$$\Delta_I := titi : Type_1 \to Type_0,$$

$$\Delta_C := Z1 : \Pi x : Type_1.\, titi\ x,\quad Z2 : \Pi x : Type_1.\, titi\ nat \to titi\ x \to titi\ x.$$

Then,

$$\Phi_{titi} := \left\{ \frac{\emptyset}{(0,x,(1))} \;\middle|\; x \in V_{\kappa_1} \right\} \cup \left\{ \frac{\{(0,[\![nat]\!],v_1),\,(0,x,v_2)\}}{(0,x,(2,v_1,v_2))} \;\middle|\; x \in V_{\kappa_1},\ v_1, v_2 \in V_{\kappa_0} \right\},$$

$app([\![titi]\!], x) = I.F(\Phi_{titi})(0, x)$, $app([\![Z1]\!], x) := (1)$, and $app([\![Z2]\!], x, a, b) := (2, a, b)$, where $x \in V_{\kappa_1}$, $a \in app([\![titi]\!], [\![nat]\!])$, and $b \in app([\![titi]\!], x)$.

Remark 3.10. Note that in Coq, toto cannot have Type -> Set as its type, unlike titi. This difference is also reflected in their interpretations.

Example 3.11 (Mutually inductive types with parameters). Two inductive types tree and forest defined by $\mathcal{D}_{TF}$ in Remark 2.5 can be interpreted by means of the following rule set:

$$\Phi_{TF} := \left\{ \frac{\{(1,A,v_1)\}}{(0,A,(1,a,v_1))} \;\middle|\; A, v_1 \in V_{\kappa_0},\ a \in A \right\} \cup \left\{ \frac{\emptyset}{(1,A,(2))} \;\middle|\; A \in V_{\kappa_0} \right\} \cup \left\{ \frac{\{(0,A,v_1),\,(1,A,v_2)\}}{(1,A,(3,v_1,v_2))} \;\middle|\; A, v_1, v_2 \in V_{\kappa_0} \right\}.$$

3.4. Interpretation of well-founded structured recursion. A set defined by a (mutual) induction generates a canonical well-founded relation on the set, i.e., the relation defined according to the inductive construction of the elements, the so-called structurally-smaller-than relation. This is the basis for the discipline of structural recursion, which stipulates that recursive calls consume structurally smaller data.

Here, we claim the existence of the interpretations of recursive types that satisfy the soundness of the rules (fix), (fix-eq), and (ι). A formal definition is given in Appendix D. Refer to [Dybjer(1991)], whose study provides the basic idea.



Lemma 3.12. Suppose $\Gamma \vdash fix\ f_i\{R\} : A_i$, where

$$R = f/k : A := t, \qquad A_i = \Pi x_i : B_i.\, A'_i, \qquad lh(B_i) = k_i + 1, \qquad i < n,$$

$$(\Gamma \vdash A_i : s_i)_{\forall i < n}, \qquad (\Gamma, f : A \vdash t_i : A_i)_{\forall i < n}, \qquad \mathcal{F}(f, A, k, i).$$

Let $\gamma \in [\![\Gamma]\!]$ be given. We suppress $\Gamma$ and $\gamma$ for better readability. Then, there is a rule set $\Psi$ such that the following interpretation of $fix\ f_i\{R\}$ satisfies the soundness of the rules (fix), (fix-eq), and (ι):

• $[\![fix\ f_i\{R\}]\!] = lam(h)$, where $h(a_1, \ldots, a_{k_i}, (k, z_k)) = I.F(\Psi)(a_1, \ldots, a_{k_i}, (k, z_k))$ for $a, (k, z_k) \in [\![B_i]\!]$.

Remark 3.13. The condition for constrained derivation is essential. Indeed, constrained derivation corresponds to guarded recursion defined by [Gimenez(1995)]; hence, it guarantees that the construction of the rule set $\Psi$ in Appendix D is well defined.

The elements of our rule sets $\Psi$ are rules whose conclusions have the form $(\ldots, y, (k, x), b)$, where $k$ denotes the $k$th constructor of the inductive type $d$ on which the recursion is performed, $y$ denotes the non-parametric arguments of $d$, $x$ denotes the list of the remaining arguments of the constructor, and $b$ is the result of the function. Note that $x, y$ could be empty.

Example 3.14 (Primitive recursion). The Coq-expression stated below is a general form of primitive recursion.

Fixpoint PRec (A:Type) (g: A) (h:nat -> A -> A) (n:nat) {struct n} : A :=
match n with
| O => g
| S p => h p (PRec A g h p)
end.
The corresponding term is $PRec := fix\ f_0\{f_0/3 : B := t\}$, where

$$B = \Pi(A : Type_1).\, \Pi(g : A).\, \Pi(h : nat \to A \to A).\, \Pi(n : nat).\, A,$$

$$t = \lambda(A : Type_1).\, \lambda(g : A).\, \lambda(h : nat \to A \to A).\, \lambda(n : nat).\, case(n, P, h_1, h_2),$$

$P = \lambda(\ell : nat).\, A$, $h_1 = g$, and $h_2 = \lambda(p : nat).\, h\, p\, (f_0\, A\, g\, h\, p)$. $[\![PRec]\!]$ is characterized by the following rule set $\Psi_{PRec} :=$

$$\left\{ \frac{\emptyset}{(A,g,h,(1),g)} \;\middle|\; A \in V_{\kappa_1},\ g \in A,\ h \in [\![nat \to A \to A]\!] \right\} \cup \left\{ \frac{\{(A,g,h,p,v)\}}{(A,g,h,(2,p),app(h,p,v))} \;\middle|\; A \in V_{\kappa_1},\ g \in A,\ h \in [\![nat \to A \to A]\!],\ p \in [\![nat]\!],\ v \in A \right\}.$$

Given a type $A$, $[\![PRec\ A]\!]$ denotes the primitive recursor with values from $A$. For instance,

$$app([\![plus]\!], m, n) = I.F(\Psi_{PRec})([\![nat]\!], m, [\![h]\!], n)$$

where $h = \lambda(p : nat).\, \lambda(i : nat).\, S\, i$ and $m, n \in [\![nat]\!]$.
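As an added illustration (this code is not from the paper), the following Python models Aczel-style rule sets as generators of (premises, conclusion) pairs and computes finite stages of the least fixed point $I.F(\Phi)$. It serves both the rule set $\Phi_{nat}$ of Example 3.7 and the rule set $\Psi_{PRec}$ of this example, the latter specialised to one fixed $A, g, h$. The encodings ZERO = (1,) and succ(v) = (2, v) follow Example 3.7; the function names, the stage-wise construction, and the use of a Python function to stand for an element of $[\![nat \to A \to A]\!]$ are assumptions of the example.

```python
"""Rule sets in the style of Aczel and their least fixed points, computed
stage by stage.  A stage only ever contains conclusions of rules whose
premises were already derived, so the rules are generated lazily from the
current stage instead of ranging over the whole universe V_kappa."""

# Encodings from Example 3.7: [O] = (1), app([S], n) = (2, n), and an
# element of I.F(Phi_nat) has the form (0, v) for v in [nat].
ZERO = (1,)


def succ(v):
    return (2, v)


def from_int(k):
    """Constructed sample input: the numeral for k."""
    v = ZERO
    for _ in range(k):
        v = succ(v)
    return v


def to_int(v):
    k = 0
    while v[0] == 2:
        v = v[1]
        k += 1
    return k


def close_once(rule_gen, stage):
    """One step of the inductive definition: add every conclusion whose
    premises all lie in the current stage."""
    nxt = set(stage)
    for premises, conclusion in rule_gen(stage):
        if premises <= stage:
            nxt.add(conclusion)
    return nxt


def stage_n(rule_gen, n):
    """The n-th approximation of I.F(Phi): n closure steps from the empty set."""
    stage = set()
    for _ in range(n):
        stage = close_once(rule_gen, stage)
    return stage


def phi_nat(stage):
    """Phi_nat of Example 3.7: {} / (0,(1)) and {(0,v)} / (0,(2,v)).
    Only v with (0, v) already derived are enumerated; a rule whose premise
    is outside the stage could not fire anyway."""
    yield frozenset(), (0, ZERO)
    for elem in stage:
        i, v = elem
        if i == 0:
            yield frozenset({elem}), (0, succ(v))


def nat_up_to(n):
    """[nat] restricted to the first n stages: the numerals 0 .. n-1."""
    return {v for (i, v) in stage_n(phi_nat, n) if i == 0}


def psi_prec(g, h):
    """Psi_PRec of Example 3.14 with A, g, h fixed (assumption of this
    example: h is a Python function).  The fixed point is the graph of
    PRec A g h, as pairs (n, result)."""
    def gen(stage):
        yield frozenset(), (ZERO, g)                       # PRec A g h O = g
        for pair in stage:
            p, v = pair                                    # PRec A g h p = v
            yield frozenset({pair}), (succ(p), h(p, v))    # PRec A g h (S p) = h p v
    return gen


def prec(g, h, n):
    """I.F(Psi_PRec)(A, g, h, n): read the result off a stage deep enough to reach n."""
    graph = dict(stage_n(psi_prec(g, h), to_int(n) + 1))
    return graph[n]


def plus(m, n):
    """app([plus], m, n) = I.F(Psi_PRec)([nat], m, [h], n) with h = fun p i => S i."""
    return prec(m, lambda p, i: succ(i), n)


if __name__ == "__main__":
    print(sorted(to_int(v) for v in nat_up_to(4)))   # [0, 1, 2, 3]
    print(to_int(plus(from_int(2), from_int(3))))     # 5
```

The stage index is the only place where the infinite rule set is cut off: every element of $[\![nat]\!]$ appears at some finite stage, and for PRec the stage needed is one more than the numeral being recursed on, which is exactly the structural-recursion discipline of Section 3.4.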

Example 3.15 (Mutually recursive functions). The interpretations of Tsize and Fsize from Remark 2.7 are characterized by the following rule set $\Psi_{size} :=$

$$\left\{ \frac{\{(A,f,v')\}}{(A,(1,a,f),S\,v')} \;\middle|\; A \in V_{\kappa_0},\ f \in app([\![forest]\!],A),\ v' \in [\![nat]\!],\ a \in A \right\} \cup \left\{ \frac{\ \cdots\ }{\ \cdots\ } \;\middle|\; A \in V_{\kappa_0} \right\} \cup \left\{ \frac{\{(A,t,v'_1),\,(A,f',v'_2)\}}{(A,(3,t,f'),app([\![plus]\!],v'_1,v'_2))} \;\middle|\; A \in V_{\kappa_0},\ t \in app([\![tree]\!],A),\ f' \in app([\![forest]\!],A),\ v'_1, v'_2 \in [\![nat]\!] \right\}.$$

4. Set-theoretic model and soundness

Since the denotations $[\![\Gamma]\!]$ and $[\![\Gamma \vdash t]\!]$ will be defined by mutual induction on the size of their arguments, we need a size function $|\cdot|$ that guarantees the termination. In particular, the following properties should be satisfied:

• $|\Gamma| < |\Gamma \vdash A| < |\Gamma, x : A|$,

• $|\Gamma \vdash t|, |\Gamma \vdash A| < |\Gamma, x := t : A|$,

• $|\Delta_I(d)|, |\Delta_C(c)| < |Ind_n\{\Delta_I := \Delta_C\} \cdot x|$ for all $x \in dom(\Delta_I, \Delta_C)$, $d \in dom(\Delta_I)$, and $c \in dom(\Delta_C)$,

• $|A_i|, |t_j| < |f/k : A := t|$ for all $A_i \in A$ and $t_j \in t$.

An adequate size function can be defined by a simple extension of the one defined by [Miquel and Werner(2003)]:

• The size $|t|$ of a term $t$ is (recursively) defined as the sum of the sizes of its immediate subterms plus 1.

  - The immediate subterms of $Ind_n\{\Delta_I := \Delta_C\} \cdot x$ are $\Delta_I(d)$ and $\Delta_C(c)$, where $d \in dom(\Delta_I)$ and $c \in dom(\Delta_C)$.

  - The immediate subterms of $fix\ f_j\{f/k : A := t\}$ are $A, t$.

• The size of a context $\Gamma$ is defined as follows:

  - $|[\,]| = 1/2$,

  - $|\Gamma, (x : t)| = |\Gamma| + |t|$,

  - $|\Gamma, (x := t : A)| = |\Gamma| + |t| + |A|$,

  - $|\Gamma, Ind_n\{\Delta_I := \Delta_C\}| = |\Gamma| + 1$.

• $|\Gamma \vdash t| = |\Gamma| + |t| - 1$.

Remark 4.1. As mentioned in Remark 3.6 and Remark 3.13, the positivity condition and the condition for constrained derivation play a crucial role in establishing the soundness proof of Theorem 4.4.

Definition 4.2. The set-theoretic interpretations $[\![\Gamma]\!]$ and $[\![\Gamma \vdash t]\!]$ are defined by a mutual induction on the size of their arguments.

(1) For each context $\Gamma$, the set $[\![\Gamma]\!]$ is defined as follows:

$$[\![\,[\,]\,]\!] := \{nil\},$$

$$[\![\Gamma, x : A]\!] := \{\gamma, a \mid \gamma \in [\![\Gamma]\!],\ [\![\Gamma \vdash A]\!]_\gamma \downarrow \text{ and } a \in [\![\Gamma \vdash A]\!]_\gamma\},$$

$$[\![\Gamma, x := t : A]\!] := \{\gamma, a \mid \gamma \in [\![\Gamma]\!],\ [\![\Gamma \vdash A]\!]_\gamma \downarrow,\ [\![\Gamma \vdash t]\!]_\gamma \downarrow \text{ and } a = [\![\Gamma \vdash t]\!]_\gamma \in [\![\Gamma \vdash A]\!]_\gamma\},$$

$$[\![\Gamma, Ind_n\{\Delta_I := \Delta_C\}]\!] := \{\gamma \mid \gamma \in [\![\Gamma]\!]\}.$$

(2) The interpretation $[\![\Gamma \vdash t]\!]$ of a term $t$ in a context $\Gamma$ is a partial function defined on $[\![\Gamma]\!]$: Given $\gamma \in [\![\Gamma]\!]$,

$[\![\Gamma \vdash Prop]\!]_\gamma := \{0, 1\}$,

$[\![\Gamma \vdash Type_i]\!]_\gamma := V_{\kappa_i}$,

$[\![\Gamma \vdash x]\!]_\gamma := a_i$ if $x$ is the $i$th declared variable in $\Gamma$, (*)

$[\![\Gamma \vdash \Pi x : A.B]\!]_\gamma := \{lam(f) : f \in \prod_{a \in [\![\Gamma \vdash A]\!]_\gamma} [\![\Gamma, x : A \vdash B]\!]_{(\gamma,a)}\}$,

$[\![\Gamma \vdash \lambda x : A.t]\!]_\gamma := lam(a \in [\![\Gamma \vdash A]\!]_\gamma \mapsto [\![\Gamma, x : A \vdash t]\!]_{(\gamma,a)})$,

$[\![\Gamma \vdash t\,u]\!]_\gamma := app([\![\Gamma \vdash t]\!]_\gamma, [\![\Gamma \vdash u]\!]_\gamma)$,

$[\![\Gamma \vdash let\ x := t\ in\ u]\!]_\gamma := [\![\Gamma, (x := t : A) \vdash u]\!]_{\gamma, [\![\Gamma \vdash t]\!]_\gamma}$, where $A$ is such that $[\![\Gamma \vdash t]\!]_\gamma \in [\![\Gamma \vdash A]\!]_\gamma$, (‡)

$[\![\Gamma \vdash Ind_n\{\Delta_I := \Delta_C\} \cdot x]\!]_\gamma :=$ as explained above if defined,

$[\![\Gamma \vdash case(e, P, h_1, \ldots, h_m)]\!]_\gamma := app([\![\Gamma \vdash h_j]\!]_\gamma, ([\![\Gamma \vdash e]\!]_\gamma)_1, \ldots, ([\![\Gamma \vdash e]\!]_\gamma)_q)$ if $([\![\Gamma \vdash e]\!]_\gamma)_0 = j$, where $lh([\![\Gamma \vdash e]\!]_\gamma) = q + 1$,

$[\![\Gamma \vdash fix\ f_j\{f/k : A := t\}]\!]_\gamma :=$ as explained above if defined.

(*) If $x \in dom(\Gamma)$, then the occurrence should be unique.

(‡) $A$ could be any term with the given property since the interpretation, when defined, is independent of it.

The following lemma is crucial for the soundness proof. 






G. LEE AND B. WERNER 



Lemma 4.3 (Substitutivity). Let $\Gamma$ be a context and let $u, A$ be terms such that $[\![\Gamma \vdash u]\!]_\gamma \in [\![\Gamma \vdash A]\!]_\gamma$ for some $\gamma \in [\![\Gamma]\!]$ (assuming that both of them are defined), and write $a = [\![\Gamma \vdash u]\!]_\gamma$.

(1) Suppose $(\gamma, a), \delta \in [\![\Gamma, x : A, \Delta]\!]$. Then, $\gamma, \delta \in [\![\Gamma, \Delta[x\backslash u]]\!]$.

(2) Suppose $(\gamma, a), \delta \in [\![\Gamma, x : A, \Delta]\!]$ and $[\![\Gamma, x : A, \Delta \vdash t]\!]_{(\gamma,a),\delta} \downarrow$. Then,

• $[\![\Gamma, \Delta[x\backslash u] \vdash t[x\backslash u]]\!]_{\gamma,\delta} \downarrow$,

• $[\![\Gamma, \Delta[x\backslash u] \vdash t[x\backslash u]]\!]_{\gamma,\delta} = [\![\Gamma, x : A, \Delta \vdash t]\!]_{(\gamma,a),\delta} = [\![\Gamma, x := u : A, \Delta \vdash t]\!]_{(\gamma,a),\delta}$.

Proof. The assertions are proved for each $\Delta$ and $t$ by a mutual induction on the size of their arguments. In particular, given $\Delta$, the first assertion is proved before the second one for all $t$. In the case of $\Delta = [\,]$, the claims are obvious. Assume that $\Delta = \Delta_0, y : B$ and $\delta = \delta_0, \beta$. The other cases can be considered similarly.

(1) $(\gamma, a), \delta_0, \beta \in [\![\Gamma, x : A, \Delta_0, y : B]\!]$. Then, using the I.H. of the second claim, we have

$$\beta \in [\![\Gamma, x : A, \Delta_0 \vdash B]\!]_{\gamma,a,\delta_0} = [\![\Gamma, \Delta_0[x\backslash u] \vdash B[x\backslash u]]\!]_{\gamma,\delta_0}.$$

That is, $\gamma, \delta_0, \beta \in [\![\Gamma, \Delta_0[x\backslash u], y : B[x\backslash u]]\!]$.

(2) We proceed by induction on $t$. If $t = x$, the claim follows because $[\![\Gamma \vdash u]\!]_\gamma \downarrow$ implies that $[\![\Gamma, \Delta[x\backslash u] \vdash u]\!]_{\gamma,\delta} \downarrow$ and $[\![\Gamma, \Delta[x\backslash u] \vdash u]\!]_{\gamma,\delta} = [\![\Gamma \vdash u]\!]_\gamma$. This is because the interpretation of $u$ does not depend on $dom(\Delta)$. Other cases can be easily shown by using induction hypotheses.

□

Theorem 4.4 (Soundness). Our type system is sound with respect to the set-theoretic interpretation defined in Definition 4.2 in the following sense:

(1) If $WF(\Gamma)$, then $[\![\Gamma]\!]$ is defined.

(2) If $\Gamma \vdash M : A$, then $[\![\Gamma]\!]$ is defined, and for any $\gamma \in [\![\Gamma]\!]$, it holds that $[\![\Gamma \vdash M]\!]_\gamma$ and $[\![\Gamma \vdash A]\!]_\gamma$ are defined, and that

$$[\![\Gamma \vdash M]\!]_\gamma \in [\![\Gamma \vdash A]\!]_\gamma.$$

(3) If $\Gamma \vdash M = N : A$, then $[\![\Gamma]\!]$ is defined, and for any $\gamma \in [\![\Gamma]\!]$, it holds that $[\![\Gamma \vdash M]\!]_\gamma$, $[\![\Gamma \vdash N]\!]_\gamma$, and $[\![\Gamma \vdash A]\!]_\gamma$ are defined, and that

$$[\![\Gamma \vdash M]\!]_\gamma = [\![\Gamma \vdash N]\!]_\gamma \in [\![\Gamma \vdash A]\!]_\gamma.$$

(4) If $\Gamma \vdash M \preceq N$, then $[\![\Gamma]\!]$ is defined, and for any $\gamma \in [\![\Gamma]\!]$, it holds that $[\![\Gamma \vdash M]\!]_\gamma$ and $[\![\Gamma \vdash N]\!]_\gamma$ are defined, and that

$$[\![\Gamma \vdash M]\!]_\gamma \subseteq [\![\Gamma \vdash N]\!]_\gamma.$$

Proof. We proceed by a simultaneous induction over the typing derivation. The cases (wf), (ax), (var), (weak), and (weak-eq) are obvious.

(Π) Suppose

$$\frac{\Gamma \vdash A : s_1 \qquad \Gamma, x : A \vdash B : s_2}{\Gamma \vdash \Pi x : A.B : s_3}.$$

By I.H., it holds that $[\![\Gamma \vdash A]\!]_\gamma \in [\![\Gamma \vdash s_1]\!]_\gamma$ and $[\![\Gamma, x : A \vdash B]\!]_{\gamma,a} \in [\![\Gamma, x : A \vdash s_2]\!]_{\gamma,a}$ for all $a \in [\![\Gamma \vdash A]\!]_\gamma$. Now, we need to show that

$$[\![\Gamma \vdash \Pi x : A.B]\!]_\gamma \in [\![\Gamma \vdash s_3]\!]_\gamma.$$

If $s_2 = s_3 = Prop$, then Lemma 3.[?] implies the claim. Assume $s_1 = Type_i$, $s_2 = Type_j$, $s_3 = Type_k$, and $i, j < k$. Then, $[\![\Gamma \vdash s_3]\!] = V_{\kappa_k}$, where $\kappa_k$ is the $k$th inaccessible cardinal; hence, $V_{\kappa_k}$ is closed under the power set operation.

The cases (Π-eq), (λ), and (λ-eq) are obvious.

(app) Suppose

$$\frac{\Gamma \vdash M : \Pi x : A.B \qquad \Gamma \vdash N : A}{\Gamma \vdash MN : B[x\backslash N]}.$$

By induction hypothesis, it holds that $[\![\Gamma \vdash N]\!]_\gamma \in [\![\Gamma \vdash A]\!]_\gamma$ and $[\![\Gamma \vdash M]\!]_\gamma = lam(f)$ for some function $f$ with $dom(f) = [\![\Gamma \vdash A]\!]_\gamma$ and $f(a) \in [\![\Gamma, x : A \vdash B]\!]_{\gamma,a}$ for any $a \in [\![\Gamma \vdash A]\!]_\gamma$. Thus, we have

$$[\![\Gamma \vdash MN]\!]_\gamma = app([\![\Gamma \vdash M]\!]_\gamma, [\![\Gamma \vdash N]\!]_\gamma) = f([\![\Gamma \vdash N]\!]_\gamma) \in [\![\Gamma, x : A \vdash B]\!]_{\gamma, [\![\Gamma \vdash N]\!]_\gamma} = [\![\Gamma \vdash B[x\backslash N]]\!]_\gamma.$$

The cases (app-eq), (let), and (let-eq) are similar.

The soundness of (ind-wf), (ind-type), and (ind-cons) is obvious from the interpretation constructions. The interpretations of inductive types and constructors are possible because of the induction hypotheses. This is the same for (fix), (fix-eq), (case), and (case-eq).

The cases (ref), (sym), (trans), (conv), and (conv-eq) are obvious. Suppose

$$\frac{\Gamma, x : A \vdash M : B \qquad \Gamma \vdash A : s_1 \qquad \Gamma, x : A \vdash B : s_2 \qquad \Gamma \vdash N : A}{\Gamma \vdash (\lambda x : A.M)N = M[x\backslash N] : B[x\backslash N]}.$$

It remains to show that $[\![\Gamma \vdash (\lambda x : A.M)N]\!]_\gamma = [\![M[x\backslash N]]\!]_\gamma$:

$$[\![\Gamma \vdash (\lambda x : A.M)N]\!]_\gamma = app([\![\Gamma \vdash \lambda x : A.M]\!]_\gamma, [\![\Gamma \vdash N]\!]_\gamma)$$

$$= app(lam(a \in [\![\Gamma \vdash A]\!]_\gamma \mapsto [\![\Gamma, x : A \vdash M]\!]_{\gamma,a}), [\![\Gamma \vdash N]\!]_\gamma)$$

$$= [\![\Gamma, x : A \vdash M]\!]_{\gamma, [\![\Gamma \vdash N]\!]_\gamma} = [\![M[x\backslash N]]\!]_\gamma$$

by Lemma 4.3 because we know that $[\![\Gamma \vdash N]\!]_\gamma \in [\![\Gamma \vdash A]\!]_\gamma$ by induction hypothesis. The judgmental equality plays a crucial role in this case.

The case (δ) is obvious, and the case (ζ) follows from Lemma 4.3 and induction hypothesis. The case (ι) is obvious by definition. The cumulativity rules are obviously sound. Finally, the soundness of the constrained typing rules in Figure 5 follows directly from the arguments stated above. □



Theorem 4.5 (Consistency). There is no term $t$ such that $\vdash t : \Pi x : \ast.\, x$.

Proof. Note that $[\![\vdash \Pi x : \ast.\, x]\!]_{nil} = \emptyset$. □
5. Conclusion

We identified some critical issues in constructing a set-theoretic, proof-irrelevant model of CC with cumulative type universes. Our construction reconfirmed that proof-irrelevance is a subtle and difficult subject to tackle when it is combined with the subtyping of the universes, in particular, Prop ≺ Type. We showed that the set-theoretic interpretation can be relatively easy when we work with judgmental equality. We believe that our study provides a (relatively) easy way of justifying the correctness of type theory in the Martin-Löf style, i.e., with a simple model and, in particular, no proof of strong normalization, which is usually very difficult to establish.

Besides the historical importance of Martin-Löf-style type theory and the technical difficulties with external β-reduction, there is another theoretical and practical reason for studying type systems with judgmental equality. In general, the equivalence of two systems with or without judgmental equality remains an open problem. Proving the equivalence of two systems with or without judgmental equality is not a simple task, even though some positive results have been achieved by [Coquand(1991)], [Goguen(1994)], [Goguen(1999)], [Adams(2006)], and [Siles and Herbelin(2010)]. However, they are not sufficiently general to cover the case with cumulative type universes. Although [Adams(2006)] mentioned that it might be possible to extend his proof to more general systems with unique principal types instead of type uniqueness, as in the case of Luo's ECC [Luo(1990), Luo(1994)] and Coquand's CIC, it still remains an open question.

A positive consequence of the work of [Adams(2006)] and [Siles and Herbelin(2010)] is that the failed attempt of [Miquel and Werner(2003)], i.e., without using sorted variables, would work if one first considers the system CC with judgmental equality and uses its equivalence to the usual CC. This is indeed the case for the model construction described in this paper, where we restrict the model construction to CC.
Appendix A. Definition of free variables and substitution

The definitions of the sets of free variables in a context or term are standard.

$y[x\backslash u] := u$ if $x = y$, and $y$ otherwise,

$s[x\backslash u] := s$,

$(\Pi y : A.B)[x\backslash u] := \Pi y : A[x\backslash u].B$ if $x = y$, and $\Pi y : A[x\backslash u].(B[x\backslash u])$ otherwise, (*)

$(\lambda y : A.B)[x\backslash u] := \lambda y : A[x\backslash u].B$ if $x = y$, and $\lambda y : A[x\backslash u].(B[x\backslash u])$ otherwise, (*)

$(let\ y := t_1\ in\ t_2)[x\backslash u] := let\ y := t_1[x\backslash u]\ in\ t_2$ if $x = y$, and $let\ y := (t_1[x\backslash u])\ in\ t_2[x\backslash u]$ otherwise, (*)

$(t_1\, t_2)[x\backslash u] := (t_1[x\backslash u])(t_2[x\backslash u])$,

$case(e, P, f)[x\backslash u] := case(e[x\backslash u], P[x\backslash u], f[x\backslash u])$,

$(Ind_n\{\Delta_I := \Delta_C\} \cdot y)[x\backslash u] := Ind_n\{\Delta_I := \Delta_C\} \cdot y$ if $x \in dom(\Delta_I, \Delta_C)$ or $FV(u) \cap dom(\Delta_I, \Delta_C) \ne \emptyset$, (†) and $Ind_n\{\Delta_I[x\backslash u] := \Delta_C[x\backslash u]\} \cdot y$ otherwise,

$(fix\ y_i\{y/k : A := t\})[x\backslash u] := fix\ y_i\{y/k : A := t\}$ if $x \in \{y\}$ or $FV(u) \cap \{y\} \ne \emptyset$, (†) and $fix\ y_i\{y/k : (A[x\backslash u]) := t[x\backslash u]\}$ otherwise.

(*) By using α-conversion, if needed, $y$ is assumed to be not free in $u$ such that the variable condition is satisfied.

(†) The variable condition here implies that the names of inductive types, constructors, and recursive functions are uniquely determined, and that they will never be changed once they are defined. Thus, these names are bound variables that differ from variables bound by Π and λ.
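As an added example (not from the paper), the following Python implements the substitution $t[x\backslash u]$ of Appendix A for the core term language of Π, λ, let, application, variables and sorts, with the (*) clauses realised by α-renaming a binder that would otherwise capture a free variable of $u$. The tuple representation of terms, the function names, and the omission of case, Ind and fix (so the (†) clauses are not modelled) are assumptions of the example; the sample term is constructed.

```python
"""Capture-avoiding substitution t[x\\u] for a tuple-encoded core calculus.
Term shapes: ('var', x), ('sort', s), ('pi', y, A, B), ('lam', y, A, B),
('let', y, t1, t2), ('app', t1, t2).  In the three binder forms the bound
variable y scopes over the last component only."""
import itertools

_fresh_counter = itertools.count()


def free_vars(t):
    """FV(t), the standard definition the appendix refers to."""
    tag = t[0]
    if tag == 'var':
        return {t[1]}
    if tag == 'sort':
        return set()
    if tag in ('pi', 'lam', 'let'):
        _, y, first, body = t
        return free_vars(first) | (free_vars(body) - {y})
    if tag == 'app':
        return free_vars(t[1]) | free_vars(t[2])
    raise ValueError(f"unknown term tag {tag!r}")


def fresh(y, avoid):
    """A variable name derived from y that does not occur in `avoid`."""
    cand = y
    while cand in avoid:
        cand = f"{y}_{next(_fresh_counter)}"
    return cand


def subst(t, x, u):
    """t[x\\u] following the clauses of Appendix A."""
    tag = t[0]
    if tag == 'var':
        return u if t[1] == x else t          # y[x\u] = u if x = y, y otherwise
    if tag == 'sort':
        return t                              # s[x\u] = s
    if tag == 'app':
        return ('app', subst(t[1], x, u), subst(t[2], x, u))
    if tag in ('pi', 'lam', 'let'):
        _, y, first, body = t
        first = subst(first, x, u)            # the domain / let-bound term is always substituted
        if y == x:
            return (tag, y, first, body)      # x is rebound: the body is left alone
        if y in free_vars(u):                 # (*): alpha-convert so that y is not free in u
            y2 = fresh(y, free_vars(u) | free_vars(body) | {x})
            body = subst(body, y, ('var', y2))
            y = y2
        return (tag, y, first, subst(body, x, u))
    raise ValueError(f"unknown term tag {tag!r}")


def V(name):
    return ('var', name)


# Constructed sample: (lambda y : A. x y)[x \ y].  Without renaming the
# result would be lambda y : A. y y, which captures the substituted y.
CAPTURE_SAMPLE = ('lam', 'y', V('A'), ('app', V('x'), V('y')))


def demo_capture():
    """Return (renamed binder, body) of CAPTURE_SAMPLE[x \\ y]."""
    _tag, y2, _dom, body = subst(CAPTURE_SAMPLE, 'x', V('y'))
    return y2, body


if __name__ == "__main__":
    print(demo_capture())
```

Only the clause for a binder whose name is free in $u$ does any work beyond a structural walk; everything else is the definition transcribed, which is why the (*) footnote is the part worth testing.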



Appendix B. Constrained typing

Note that not all fix-point definitions can be accepted because of the possibility of non-normalizing terms. If one of the arguments belongs to an inductive type, then the function starts with a case analysis, and recursive calls are performed on variables coming from patterns and representing subterms. This is the usual restriction implemented in Coq when a case distinction with respect to a distinguished inductive type occurs in the definition of a (mutually) recursive function. These restrictions are imposed by the so-called guarded-by-destructors condition defined by [Gimenez(1995)]. Here, we follow the simplified version given by [Paulin-Mohring(1996)] by using constrained typing.

The constraints will be imposed with respect to a variable $z$ and an inductive specification $\Delta_I, \Delta_C$, and they have three forms: the empty constraint $\epsilon$, the constraint $<z$, which describes the structural smallness with respect to $z$, and the constraint $\equiv z$, which describes the equivalence to $z$. The constraints will be added to any occurrence of a variable in a term. Let $c, d, \ldots$ vary over constraints. The judgments of constrained typing have the form
$$\frac{\begin{array}{c} Ind_n\{\Delta_I := \Delta_C\} \in \Gamma \quad (d_i : \Pi p : P.\, A) \in \Delta_I \quad lh(p) = n \\ \Gamma \vdash Q :^{c} B \quad \mathcal{C}(d_i\, p : A; B) \quad \Gamma \vdash e :^{c} d_i\, p\, u \\ \Gamma \vdash h_k :^{d} \Pi(v : V_k)^{<c}.\, Q\, w_k\, (c_k\, p\, v) \ \text{ for all } (c_k : \Pi p : P.\, \Pi v : V_k.\, d_i\, p\, w_k) \in \Delta_C \end{array}}{\Gamma \vdash case(e, Q, (h_k)_k) :^{d} Q\, u\, e}$$

$$\frac{\Gamma \vdash M : s}{WF(\Gamma, x :^{\epsilon} M)} \qquad \frac{WF(\Gamma) \quad x :^{c} A \in \Gamma}{\Gamma \vdash x :^{c} A} \qquad \frac{\Gamma \vdash t :^{?} A}{\Gamma \vdash t :^{c} A}$$

$$\frac{\Gamma \vdash A :^{c} s_1 \quad \Gamma, x :^{c} A \vdash B :^{c} s_2 \quad \mathcal{R}(s_1, s_2, s_3)}{\Gamma \vdash \Pi x :^{c} A.B :^{c} s_3}$$

$$\frac{\Gamma \vdash A = A' :^{c} s_1 \quad \Gamma, x :^{c} A \vdash B = B' :^{c} s_2 \quad \mathcal{R}(s_1, s_2, s_3)}{\Gamma \vdash \Pi x :^{c} A.B = \Pi x :^{c} A'.B' :^{c} s_3}$$

$$\frac{\Gamma \vdash A :^{c} s_1 \quad \Gamma, x :^{c} A \vdash B :^{c} s_2 \quad \Gamma, x :^{c} A \vdash M :^{c} B}{\Gamma \vdash \lambda x :^{c} A.M :^{c} \Pi x :^{c} A.B}$$

$$\frac{\Gamma \vdash A = A' :^{c} s_1 \quad \Gamma, x :^{c} A \vdash B :^{c} s_2 \quad \Gamma, x :^{c} A \vdash M = M' :^{c} B}{\Gamma \vdash \lambda x :^{c} A.M = \lambda x :^{c} A'.M' :^{c} \Pi x :^{c} A.B}$$

$$\frac{\Gamma \vdash M :^{c} \Pi x :^{c} A.B \quad \Gamma \vdash N :^{c} A}{\Gamma \vdash MN :^{c} B[x\backslash N]}$$

$$\frac{\Gamma \vdash M = M' :^{c} \Pi x :^{c} A.B \quad \Gamma \vdash N = N' :^{c} A}{\Gamma \vdash MN = M'N' :^{c} B[x\backslash N]}$$

Figure 4: Constrained typing

$\Gamma \vdash M :^{c} N$, where the constraints are added to all the variables from $dom(\Gamma)$. $M^{\epsilon}$ and $F^{\epsilon}$ denote the term $M$ and the term sequence $F$, respectively, where only the constraint $\epsilon$ is added.

Given a constraint $c$, the constraint $<c$ is defined as follows:

$$<\epsilon := \epsilon, \qquad <(\equiv z) := <z, \qquad <(<z) := <z.$$

The following defines the restriction of a recursive call of inductive type when defining a mutual recursion. Given a declaration $\Delta$, $\Delta^{<c}$ is defined as follows:

$$([\,])^{<c} := [\,],$$

$$(\Delta, x : A)^{<c} := \Delta^{<c}, x :^{\epsilon} A \quad \text{if } FV(A) \cap dom(\Delta_I, \Delta_C) = \emptyset,$$

$$(\Delta, x : A)^{<c} := \Delta^{<c}, x :^{<c} A \quad \text{if } FV(A) \cap dom(\Delta_I, \Delta_C) \ne \emptyset.$$

$F^{<c}$ is defined similarly for a term sequence $F$. In Figure 4 we list the rules for constrained typing. The omitted rules contain only the empty constraint $\epsilon$.
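As an added example (not from the paper), the following Python is a simplified checker in the spirit of the constrained typing above: variables in scope carry one of the constraints $\epsilon$, $\equiv z$ or $<z$; a case on a variable constrained $\equiv z$ or $<z$ binds its pattern variables with $<c$ computed exactly as in the definition of $<c$; and a recursive call is accepted only when its $k$-th argument is a variable constrained $<z$. The term representation, the function names, and the omission of the $\Delta^{<c}$ treatment of argument types are assumptions of the example; the sample bodies are constructed, the first mirroring PRec of Example 3.14 and the second a non-terminating variant that the condition is designed to reject.

```python
"""Guard checking by constraints.  Term shapes (assumed for this example):
('var', x), ('lam', x, body), ('app', fn, [args]),
('case', scrutinee, [(constructor, [pattern_vars], body), ...])."""

EPS, EQ, LT = 'e', 'eq', 'lt'   # the constraints epsilon, (== z), (< z)


def smaller(c):
    """The constraint <c:  <epsilon := epsilon,  <(== z) := <z,  <(<z) := <z."""
    return LT if c in (EQ, LT) else EPS


def guarded(f, k, params, body):
    """True iff every call of f inside body passes a variable constrained <z
    as its k-th argument.  The k-th parameter is the distinguished z."""
    env = {p: (EQ if i == k else EPS) for i, p in enumerate(params)}
    return _check(f, k, env, body)


def _check(f, k, env, t):
    tag = t[0]
    if tag == 'var':
        return t[1] != f                  # an unapplied f is not a guarded call
    if tag == 'lam':
        _, x, b = t
        return _check(f, k, {**env, x: EPS}, b)
    if tag == 'app':
        _, fn, args = t
        args_ok = all(_check(f, k, env, a) for a in args)
        if fn == ('var', f):
            if len(args) <= k:
                return False              # f must reach its recursive argument
            a = args[k]
            return args_ok and a[0] == 'var' and env.get(a[1]) == LT
        return args_ok and _check(f, k, env, fn)
    if tag == 'case':
        _, scrut, branches = t
        c = env.get(scrut[1], EPS) if scrut[0] == 'var' else EPS
        ok = _check(f, k, env, scrut)
        for _ctor, pvars, b in branches:  # pattern variables get <c
            ok = ok and _check(f, k, {**env, **{v: smaller(c) for v in pvars}}, b)
        return ok
    raise ValueError(f"unknown term tag {tag!r}")


def V(name):
    return ('var', name)


def app(fn, *args):
    return ('app', fn, list(args))


# PRec of Example 3.14: match n with O => g | S p => h p (f A g h p), struct n.
PREC_BODY = ('case', V('n'), [
    ('O', [], V('g')),
    ('S', ['p'], app(V('h'), V('p'), app(V('f'), V('A'), V('g'), V('h'), V('p')))),
])
# Constructed variant whose recursive call is on n itself: not structurally smaller.
BAD_BODY = ('case', V('n'), [
    ('O', [], V('g')),
    ('S', ['p'], app(V('h'), V('p'), app(V('f'), V('A'), V('g'), V('h'), V('n')))),
])
# Nested case: q is smaller than p, which is smaller than n, so <(<z) = <z applies.
NESTED_BODY = ('case', V('n'), [
    ('O', [], V('g')),
    ('S', ['p'], ('case', V('p'), [
        ('O', [], V('g')),
        ('S', ['q'], app(V('f'), V('A'), V('g'), V('h'), V('q'))),
    ])),
])
# Case on a different variable m: its pattern variable is not smaller than n.
WRONG_SCRUT_BODY = ('case', V('m'), [
    ('S', ['p'], app(V('f'), V('A'), V('g'), V('h'), V('p'))),
])

if __name__ == "__main__":
    print(guarded('f', 3, ['A', 'g', 'h', 'n'], PREC_BODY))         # True
    print(guarded('f', 3, ['A', 'g', 'h', 'n'], BAD_BODY))          # False
```

The checker is a static filter on definitions, so a rejected body is simply not admitted; it never has to evaluate anything, which is the point of a syntactic guard condition.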
Appendix C. Interpretation of inductive types

Suppose $\Gamma \vdash \mathcal{D}$, where $\mathcal{D} = Ind_n\{\Delta_I := \Delta_C\}$, and $\gamma \in [\![\Gamma]\!]$. As mentioned before, we suppress $\Gamma$ and $\gamma$ for better readability. Suppose that

$$\Delta_I := d_0 : A_0, \ldots, d_\ell : A_\ell, \qquad \Delta_C := c_1 : T_1, \ldots, c_m : T_m,$$

$$A_i := \Pi p : P.\, \Pi b_i : B_i.\, s_i, \qquad T_k := \Pi p : P.\, \Pi z_k : Z_k.\, d_{i_k}\, p\, t_k, \qquad Z_{kj} := \Pi u_{kj} : H_{kj}.\, d_{i_{kj}}\, p\, w_{kj},$$

where $lh(p) = n$, $lh(B_i) = \ell_i$, $lh(t_k) = \ell_{i_k}$, $j \in \nu(k) := \{j \mid FV(Z_{kj}) \cap dom(\Delta_I) \ne \emptyset\}$, and $\ell_k, \ell_{kj} < \omega$. Furthermore, $Z'_{kj}$ is defined as

$$Z'_{kj} := \begin{cases} Z_{kj} & \text{if } j \notin \nu_k, \\ \Pi u_{kj} : H_{kj}.\, d'_{i_{kj}} & \text{if } j \in \nu_k, \end{cases}$$

where $d'_{i_{kj}}$ are fresh variables. Further, we suppose that $[\![P]\!]$, $[\![Z_k]\!]_{p,\ldots}$, ... are already well defined below in the definition of $\Phi$ (this will be the case by induction hypothesis). Then, we define $[\![\mathcal{D}]\!]$ from the rule set $\Phi :=$
Then, we set {Vj := where $ := 

I I I \ f[JjeuA(^kj,pdwkJpA,u,app{zkj,u))\uelHkJ^^^ 1 

y HI ..^..M.izj„.|. 

Here, $m_i := \{k \mid d_{i_k} = d_i\}$, and $\rho_k$ associates $V_{\kappa_{r(k,j)}}$ with $d'_{i_{kj}}$, where $r(k,j) := rank(d_{i_{kj}})$.

We also set $[\![\mathcal{D} \cdot d_i]\!] := lam(f_i)$, where $f_i(p, b_i) = I.F(\Phi)(i, p, b_i)$ for $p, b_i : [\![P, B_i]\!]$, and $[\![\mathcal{D} \cdot c_k]\!] := lam(g_k)$, where $g_k(p, z_k) = (k, z_k)$ for $p, z_k : [\![P, Z_k]\!]$.

Appendix D. Interpretation of well-founded structured recursion

Below, we use the same notation as that used in Appendix C for the inductive types on which the recursive call is running.

Suppose $\Gamma \vdash fix\ f_i\{R\} : A_i$, where

$$R := f/k : A := t, \qquad A_i = \Pi x_i : B_i.\, A'_i, \qquad lh(B_i) = k_i + 1, \qquad i < n,$$

$$(\Gamma \vdash A_i : s_i)_{\forall i < n}, \qquad (\Gamma, f : A \vdash t_i : A_i)_{\forall i < n}, \qquad \mathcal{F}(f, A, k, i).$$

Let $\gamma \in [\![\Gamma]\!]$ be given. We suppress $\Gamma$ and $\gamma$ for better readability. Then, $[\![fix\ f_i\{R\}]\!]$ will depend on the ι-reduction.

Suppose $\Gamma \vdash a, a_{k_i+1} : B_i$, where $a_{k_i+1} = c_k\, p\, u_k$ and $B_{i,k_i+1} = d_{i_k}\, p\, t_k$, i.e., $k \in m_{i_k}$, and that $a, p$ are all fresh variables, while $u_k$ represents a branch in the tree-like structure. All the free variables occurring in $u_k$ should be fresh. Then, $(t_i[f_i \backslash (fix\ f_i\{R\})])\, a\, (c_k\, p\, u_k)$ β-, ι-reduces to the term $M_{i,k}$, which is obtained from the node term of the branch which $c_k\, p\, u_k$ represents.

Suppose that for some g^^ki h^^k £ N, n'^, u'g^ ^ , u'g^ u'^^ ^ list all the subterms of 

Mg^k that are structurally smaller than Uk- Each u'^ with q < gi^k occurs as the {k^^ -\- l)th 
argument of (fix {R})- Thus, 

((fix/,, {R})bn, <) 
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is a subterm of Mj^k for some bjiq '■ Bn^^i, B^i^^k^^. Note that each u'g is an argument 
of some constructor : Hp : P. Uzmq '■ ■ ptmg such that the head of is 
of some type Z„,^j, = nn,„^j, : i?r«„j„- •Xi™,,,, #^j"7m,j, and that Xi^^^^^ = Xi„^ ii q < ge^k- 
Furthermore, we suppose that u'^^ , Ug^ are ah terms among u'l, u'^^ ^ , which are headed 
by some variables. 

Thus, u' = a' n' , for a variable a' of type 

Zniq^ ,jqr ~ ^'^mq^ ,jq^ '■ Hniq,. ,jq^ ■ ^i^^^ P WjUq^ Jq^ 

and for some terms u' ■ . Note that a' , ...,a' are exactly the free variables occurring 
in Uf;. Suppose that u'q^^, ■■■,u'q^ arc all such terms structurally smaller than u'^. Then, 

Ug = {XUrUq^^ ,jq^^ ■ Hrriq^^ ,jq^^ ■ ■■■ XUrUq^^ ,jq^^ ■ HrUq^^ ,jq^^ ■ Ug) Umq^^ ,jq^^ ' ' ' '^TUq^^ ,jq^^ 

for some u'g. Similarly, Mg^k can be written as follows: 

{XUmq^^ J^T-i ■ ^'^qri Jqri " "• ^^-^qTq Jqrq " ^"^qrq Jqrq ' (^'^ f i^}) ^Uq Ug) '^TUq^^ ,jq^^ ' ' ' ^niq^^ ,jq^^ 

where 

Ug = y^Ujnq^^ ,jq^^ ■ HrUq^^ ,jq^^ ■■■■ ^f^niq^^ ,jq^^ '■ HfUq^^ ,jq^^ ■ Ug . 

Further, set 

Ml^k = {XUmq^^^jq^^ : Hmq,^,jq^Jc- (tlX {R}) Kq Ug 

of type {Iiumq^^,jq^^ ■ Hrnq,^,jq^Jc-A'^q{xnq-^bnq,u'g}, whcrc Granges over Lastly, let 

be obtained from Mi^k by replacing Mg^k with a fresh variable Xng ■ 

Then, |fix fi {R}} will correspond to the fixpoint of the following rule set: 



<P := U U 

i<n k&m. 



' Ue{l,...,g^,fe}'{^^I^"Jp' KIp'^PPK'^'^.n -J^n ' -^^^qrq^jgrq)) \^} 

(ai, ...,ajk^, (A;, lufcjp), J,,) 

^ = ^mq^^,jq^^ G I-^mqri J9r-il' •••''""^9rg J9rg ^ \Hmq^^ ,3q^^\, 

ae [B^,il,...,[S^,feJ, 

'"q'r ^ P'"mq^,j,^ '■ HrUq^Jq^- Xi^^^j^^ P Wjnq^Jq^J, 

p associates a. to a, i;^^ to a^^, r G {1, /i}, 

"^q ^ I(n^"l«T-c'J9rc ■ ^1^qrc'jqrc^(^"^nq{^nq '■ ^nq)^g}]p) 

?7 associates a to a, 1;^^ to a^^, r G {1, h}, and to -'^ng-j' 

We set $[\![fix\ f_i\{R\}]\!] := lam(h)$, where $h$ is a function such that

$$h(a_1, \ldots, a_{k_i}, (k, z_k)) = I.F(\Psi)(a_1, \ldots, a_{k_i}, (k, z_k))$$

where $a, (k, z_k) \in [\![B_i]\!]$.